@node-core/utils 4.2.3 → 4.4.0

package/README.md

@@ -1,5 +1,5 @@
 # Node.js Core Utilities
-[![npm](https://img.shields.io/npm/v/node-core-utils.svg?style=flat-square)](https://npmjs.org/package/node-core-utils)
+[![npm](https://img.shields.io/npm/v/@node-core/utils.svg?style=flat-square)](https://npmjs.org/package/@node-core/utils)
 [![Build Status](https://img.shields.io/github/actions/workflow/status/nodejs/node-core-utils/nodejs.yml?branch=main&style=flat-square)](https://github.com/nodejs/node-core-utils/workflows/Node.js%20CI/badge.svg?branch=main)
 [![codecov](https://img.shields.io/codecov/c/github/nodejs/node-core-utils.svg?style=flat-square)](https://codecov.io/gh/nodejs/node-core-utils)
 [![Known Vulnerabilities](https://snyk.io/test/github/nodejs/node-core-utils/badge.svg?style=flat-square)](https://snyk.io/test/github/nodejs/node-core-utils)

package/components/git/security.js

@@ -1,5 +1,8 @@
 import CLI from '../../lib/cli.js';
 import SecurityReleaseSteward from '../../lib/prepare_security.js';
+import UpdateSecurityRelease from '../../lib/update_security_release.js';
+import SecurityBlog from '../../lib/security_blog.js';
+import SecurityAnnouncement from '../../lib/security-announcement.js';
 
 export const command = 'security [options]';
 export const describe = 'Manage an in-progress security release or start a new one.';
@@ -8,6 +11,26 @@ const securityOptions = {
   start: {
     describe: 'Start security release process',
     type: 'boolean'
+  },
+  'update-date': {
+    describe: 'Updates the target date of the security release',
+    type: 'string'
+  },
+  'add-report': {
+    describe: 'Extracts data from HackerOne report and adds it into vulnerabilities.json',
+    type: 'string'
+  },
+  'remove-report': {
+    describe: 'Removes a report from vulnerabilities.json',
+    type: 'string'
+  },
+  'pre-release': {
+    describe: 'Create the pre-release announcement',
+    type: 'boolean'
+  },
+  'notify-pre-release': {
+    describe: 'Notify the community about the security release',
+    type: 'boolean'
   }
 };
 
@@ -15,21 +38,94 @@ let yargsInstance;
 
 export function builder(yargs) {
   yargsInstance = yargs;
-  return yargs.options(securityOptions).example(
-    'git node security --start',
-    'Prepare a security release of Node.js');
+  return yargs.options(securityOptions)
+    .example(
+      'git node security --start',
+      'Prepare a security release of Node.js')
+    .example(
+      'git node security --update-date=YYYY/MM/DD',
+      'Updates the target date of the security release'
+    )
+    .example(
+      'git node security --add-report=H1-ID',
+      'Fetches HackerOne report based on ID provided and adds it into vulnerabilities.json'
+    )
+    .example(
+      'git node security --remove-report=H1-ID',
+      'Removes the Hackerone report based on ID provided from vulnerabilities.json'
+    )
+    .example(
+      'git node security --pre-release' +
+      'Create the pre-release announcement on the Nodejs.org repo'
+    ).example(
+      'git node security --notify-pre-release' +
+      'Notifies the community about the security release'
+    );
 }
 
 export function handler(argv) {
   if (argv.start) {
     return startSecurityRelease(argv);
   }
+  if (argv['update-date']) {
+    return updateReleaseDate(argv);
+  }
+  if (argv['pre-release']) {
+    return createPreRelease(argv);
+  }
+  if (argv['add-report']) {
+    return addReport(argv);
+  }
+  if (argv['remove-report']) {
+    return removeReport(argv);
+  }
+  if (argv['notify-pre-release']) {
+    return notifyPreRelease(argv);
+  }
   yargsInstance.showHelp();
 }
 
-async function startSecurityRelease(argv) {
+async function removeReport(argv) {
+  const reportId = argv['remove-report'];
+  const logStream = process.stdout.isTTY ? process.stdout : process.stderr;
+  const cli = new CLI(logStream);
+  const update = new UpdateSecurityRelease(cli);
+  return update.removeReport(reportId);
+}
+
+async function addReport(argv) {
+  const reportId = argv['add-report'];
+  const logStream = process.stdout.isTTY ? process.stdout : process.stderr;
+  const cli = new CLI(logStream);
+  const update = new UpdateSecurityRelease(cli);
+  return update.addReport(reportId);
+}
+
+async function updateReleaseDate(argv) {
+  const releaseDate = argv['update-date'];
+  const logStream = process.stdout.isTTY ? process.stdout : process.stderr;
+  const cli = new CLI(logStream);
+  const update = new UpdateSecurityRelease(cli);
+  return update.updateReleaseDate(releaseDate);
+}
+
+async function createPreRelease() {
+  const logStream = process.stdout.isTTY ? process.stdout : process.stderr;
+  const cli = new CLI(logStream);
+  const preRelease = new SecurityBlog(cli);
+  return preRelease.createPreRelease();
+}
+
+async function startSecurityRelease() {
   const logStream = process.stdout.isTTY ? process.stdout : process.stderr;
   const cli = new CLI(logStream);
   const release = new SecurityReleaseSteward(cli);
   return release.start();
 }
+
+async function notifyPreRelease() {
+  const logStream = process.stdout.isTTY ? process.stdout : process.stderr;
+  const cli = new CLI(logStream);
+  const preRelease = new SecurityAnnouncement(cli);
+  return preRelease.notifyPreRelease();
+}

package/lib/github/templates/security-pre-release.md

@@ -0,0 +1,30 @@
+---
+date: %ANNOUNCEMENT_DATE%
+category: vulnerability
+title: %RELEASE_DATE% Security Releases
+slug: %SLUG%
+layout: blog-post
+author: The Node.js Project
+---
+
+# Summary
+
+The Node.js project will release new versions of the %AFFECTED_VERSIONS%
+releases lines on or shortly after, %RELEASE_DATE% in order to address:
+
+%VULNERABILITIES%
+%OPENSSL_UPDATES%
+## Impact
+
+%IMPACT%
+
+## Release timing
+
+Releases will be available on, or shortly after, %RELEASE_DATE%.
+
+## Contact and future updates
+
+The current Node.js security policy can be found at https://nodejs.org/en/security/.
+Please follow the process outlined in https://github.com/nodejs/node/blob/master/SECURITY.md if you wish to report a vulnerability in Node.js.
+
+Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.

package/lib/prepare_security.js

@@ -1,9 +1,21 @@
 import nv from '@pkgjs/nv';
+import fs from 'node:fs';
+import path from 'node:path';
 import auth from './auth.js';
 import Request from './request.js';
-import fs from 'node:fs';
+import {
+  NEXT_SECURITY_RELEASE_BRANCH,
+  NEXT_SECURITY_RELEASE_FOLDER,
+  NEXT_SECURITY_RELEASE_REPOSITORY,
+  PLACEHOLDERS,
+  checkoutOnSecurityReleaseBranch,
+  commitAndPushVulnerabilitiesJSON,
+  getSummary,
+  validateDate
+} from './security-release/security-release.js';
 
 export default class SecurityReleaseSteward {
+  repository = NEXT_SECURITY_RELEASE_REPOSITORY;
   constructor(cli) {
     this.cli = cli;
   }
@@ -16,71 +28,171 @@ export default class SecurityReleaseSteward {
     });
 
     const req = new Request(credentials);
-    const create = await cli.prompt(
-      'Create the Next Security Release issue?',
-      { defaultAnswer: true });
-    if (create) {
-      const issue = new SecurityReleaseIssue(req);
-      const content = await issue.buildIssue(cli);
-      const data = await req.createIssue('Next Security Release', content, {
-        owner: 'nodejs-private',
-        repo: 'node-private'
-      });
-      if (data.html_url) {
-        cli.ok('Created: ' + data.html_url);
-      } else {
-        cli.error(data);
-      }
+    const release = new PrepareSecurityRelease(req);
+    const releaseDate = await release.promptReleaseDate(cli);
+    validateDate(releaseDate);
+    const createVulnerabilitiesJSON = await release.promptVulnerabilitiesJSON(cli);
+
+    let securityReleasePRUrl;
+    if (createVulnerabilitiesJSON) {
+      securityReleasePRUrl = await this.createVulnerabilitiesJSON(req, release, { cli });
     }
+
+    const createIssue = await release.promptCreateRelaseIssue(cli);
+
+    if (createIssue) {
+      const content = await release.buildIssue(releaseDate, securityReleasePRUrl);
+      await release.createIssue(content, { cli });
+    };
+
+    cli.ok('Done!');
+  }
+
+  async createVulnerabilitiesJSON(req, release, { cli }) {
+    // checkout on the next-security-release branch
+    checkoutOnSecurityReleaseBranch(cli, this.repository);
+
+    // choose the reports to include in the security release
+    const reports = await release.chooseReports(cli);
+
+    // create the vulnerabilities.json file in the security-release repo
+    const filePath = await release.createVulnerabilitiesJSON(reports, { cli });
+
+    // review the vulnerabilities.json file
+    const review = await release.promptReviewVulnerabilitiesJSON(cli);
+
+    if (!review) {
+      cli.info(`To push the vulnerabilities.json file run:
+        - git add ${filePath}
+        - git commit -m "chore: create vulnerabilities.json for next security release"
+        - git push -u origin ${NEXT_SECURITY_RELEASE_BRANCH}
+        - open a PR on ${release.repository.owner}/${release.repository.repo}`);
+      return;
+    };
+
+    // commit and push the vulnerabilities.json file
+    const commitMessage = 'chore: create vulnerabilities.json for next security release';
+    commitAndPushVulnerabilitiesJSON(filePath, commitMessage, { cli, repository: this.repository });
+
+    const createPr = await release.promptCreatePR(cli);
+
+    if (!createPr) return;
+
+    // create pr on the security-release repo
+    return release.createPullRequest(req, { cli });
   }
 }
 
-class SecurityReleaseIssue {
-  constructor(req) {
+class PrepareSecurityRelease {
+  repository = NEXT_SECURITY_RELEASE_REPOSITORY;
+  title = 'Next Security Release';
+
+  constructor(req, repository) {
     this.req = req;
-    this.content = '';
-    this.title = 'Next Security Release';
-    this.affectedLines = {};
+    if (repository) {
+      this.repository = repository;
+    }
   }
 
-  getSecurityIssueTemplate() {
-    return fs.readFileSync(
-      new URL(
-        './github/templates/next-security-release.md',
-        import.meta.url
-      ),
-      'utf-8'
-    );
+  promptCreatePR(cli) {
+    return cli.prompt(
+      'Create the Next Security Release PR?',
+      { defaultAnswer: true });
   }
 
-  async buildIssue(cli) {
-    this.content = this.getSecurityIssueTemplate();
-    cli.info('Getting triaged H1 reports...');
-    const reports = await this.req.getTriagedReports();
-    await this.fillReports(cli, reports);
-
-    this.fillAffectedLines(Object.keys(this.affectedLines));
+  async getSecurityIssueTemplate() {
+    const url = 'https://raw.githubusercontent.com/nodejs/node/main/doc/contributing/security-release-process.md';
+    try {
+      // fetch document from nodejs/node main so we dont need to keep a copy
+      const response = await fetch(url);
+      const body = await response.text();
+      // remove everything before the Planning section
+      const index = body.indexOf('## Planning');
+      if (index !== -1) {
+        return body.substring(index);
+      }
+      return body;
+    } catch (error) {
+      this.cli.error(`Could not retrieve the security issue template from ${url}`);
+    }
+  }
 
-    const target = await cli.prompt('Enter target date in YYYY-MM-DD format:', {
+  async promptReleaseDate(cli) {
+    const nextWeekDate = new Date();
+    nextWeekDate.setDate(nextWeekDate.getDate() + 7);
+    // Format the date as YYYY/MM/DD
+    const formattedDate = nextWeekDate.toISOString().slice(0, 10).replace(/-/g, '/');
+    return cli.prompt('Enter target release date in YYYY/MM/DD format:', {
       questionType: 'input',
-      defaultAnswer: 'TBD'
+      defaultAnswer: formattedDate
     });
-    this.fillTargetDate(target);
+  }
+
+  async promptVulnerabilitiesJSON(cli) {
+    return cli.prompt(
+      'Create the vulnerabilities.json?',
+      { defaultAnswer: true });
+  }
 
-    return this.content;
+  async promptCreateRelaseIssue(cli) {
+    return cli.prompt(
+      'Create the Next Security Release issue?',
+      { defaultAnswer: true });
   }
 
-  async fillReports(cli, reports) {
+  async promptReviewVulnerabilitiesJSON(cli) {
+    return cli.prompt(
+      'Please review vulnerabilities.json and press enter to proceed.',
+      { defaultAnswer: true });
+  }
+
+  async buildIssue(releaseDate, securityReleasePRUrl = PLACEHOLDERS.vulnerabilitiesPRURL) {
+    const template = await this.getSecurityIssueTemplate();
+    const content = template.replace(PLACEHOLDERS.releaseDate, releaseDate)
+      .replace(PLACEHOLDERS.vulnerabilitiesPRURL, securityReleasePRUrl);
+    return content;
+  }
+
+  async createIssue(content, { cli }) {
+    const data = await this.req.createIssue(this.title, content, this.repository);
+    if (data.html_url) {
+      cli.ok(`Created: ${data.html_url}`);
+    } else {
+      cli.error(data);
+      process.exit(1);
+    }
+  }
+
+  async chooseReports(cli) {
+    cli.info('Getting triaged H1 reports...');
+    const reports = await this.req.getTriagedReports();
     const supportedVersions = (await nv('supported'))
-      .map((v) => v.versionName + '.x')
+      .map((v) => `${v.versionName}.x`)
       .join(',');
+    const selectedReports = [];
 
-    let reportsContent = '';
     for (const report of reports.data) {
-      const { id, attributes: { title }, relationships: { severity } } = report;
-      const reportLevel = severity ? severity.data.attributes.rating : 'TBD';
+      const {
+        id, attributes: { title, cve_ids, created_at },
+        relationships: { severity, weakness, reporter }
+      } = report;
+      const link = `https://hackerone.com/reports/${id}`;
+      let reportSeverity = {
+        rating: '',
+        cvss_vector_string: '',
+        weakness_id: ''
+      };
+      if (severity?.data?.attributes?.cvss_vector_string) {
+        const { cvss_vector_string, rating } = severity.data.attributes;
+        reportSeverity = {
+          cvss_vector_string,
+          rating,
+          weakness_id: weakness?.data?.id
+        };
+      }
+
       cli.separator();
-      cli.info(`Report: ${id} - ${title} (${reportLevel})`);
+      cli.info(`Report: ${link} - ${title} (${reportSeverity?.rating})`);
       const include = await cli.prompt(
         'Would you like to include this report to the next security release?',
         { defaultAnswer: true });
@@ -88,30 +200,72 @@ class SecurityReleaseIssue {
         continue;
       }
 
-      reportsContent +=
-        `  * **[${id}](https://hackerone.com/bugs?subject=nodejs&report_id=${id}) - ${title} (TBD) - (${reportLevel})**\n`;
       const versions = await cli.prompt('Which active release lines this report affects?', {
         questionType: 'input',
         defaultAnswer: supportedVersions
       });
-      for (const v of versions.split(',')) {
-        if (!this.affectedLines[v]) this.affectedLines[v] = true;
-        reportsContent += `    * ${v} - TBD\n`;
-      }
+      const summaryContent = await getSummary(id, this.req);
+
+      selectedReports.push({
+        id,
+        title,
+        cve_ids,
+        severity: reportSeverity,
+        summary: summaryContent ?? '',
+        affectedVersions: versions.split(',').map((v) => v.replace('v', '').trim()),
+        link,
+        reporter: reporter.data.attributes.username,
+        created_at // when we request CVE we need to input vulnerability_discovered_at
+      });
     }
-    this.content = this.content.replace('%REPORTS%', reportsContent);
+    return selectedReports;
   }
 
-  fillAffectedLines(affectedLines) {
-    let affected = '';
-    for (const line of affectedLines) {
-      affected += `  * ${line} - TBD\n`;
+  async createVulnerabilitiesJSON(reports, { cli }) {
+    cli.separator('Creating vulnerabilities.json...');
+    const file = JSON.stringify({
+      reports
+    }, null, 2);
+
+    const folderPath = path.join(process.cwd(), NEXT_SECURITY_RELEASE_FOLDER);
+    try {
+      await fs.accessSync(folderPath);
+    } catch (error) {
+      await fs.mkdirSync(folderPath, { recursive: true });
     }
-    this.content =
-      this.content.replace('%AFFECTED_LINES%', affected);
+
+    const fullPath = path.join(folderPath, 'vulnerabilities.json');
+    fs.writeFileSync(fullPath, file);
+    cli.ok(`Created ${fullPath} `);
+
+    return fullPath;
   }
 
-  fillTargetDate(date) {
-    this.content = this.content.replace('%RELEASE_DATE%', date);
+  async createPullRequest(req, { cli }) {
+    const { owner, repo } = this.repository;
+    const response = await req.createPullRequest(
+      this.title,
+      'List of vulnerabilities to be included in the next security release',
+      {
+        owner,
+        repo,
+        base: 'main',
+        head: 'next-security-release'
+      }
+
+    );
+    const url = response?.html_url;
+    if (url) {
+      cli.ok(`Created: ${url}`);
+      return url;
+    }
+    if (response?.errors) {
+      for (const error of response.errors) {
+        cli.error(error.message);
+      }
+    } else {
+      cli.error(response);
+    }
+    process.exit(1);
   }
 }

package/lib/request.js

@@ -77,6 +77,25 @@ export default class Request {
     return this.json(url, options);
   }
 
+  async createPullRequest(title, body, { owner, repo, head, base }) {
+    const url = `https://api.github.com/repos/${owner}/${repo}/pulls`;
+    const options = {
+      method: 'POST',
+      headers: {
+        Authorization: `Basic ${this.credentials.github}`,
+        'User-Agent': 'node-core-utils',
+        Accept: 'application/vnd.github+json'
+      },
+      body: JSON.stringify({
+        title,
+        body,
+        head,
+        base
+      })
+    };
+    return this.json(url, options);
+  }
+
   async gql(name, variables, path) {
     const query = this.loadQuery(name);
     if (path) {
@@ -113,6 +132,19 @@ export default class Request {
     return this.json(url, options);
   }
 
+  async getReport(reportId) {
+    const url = `https://api.hackerone.com/v1/reports/${reportId}`;
+    const options = {
+      method: 'GET',
+      headers: {
+        Authorization: `Basic ${this.credentials.h1}`,
+        'User-Agent': 'node-core-utils',
+        Accept: 'application/json'
+      }
+    };
+    return this.json(url, options);
+  }
+
   // This is for github v4 API queries, for other types of queries
   // use .text or .json
   async query(query, variables) {

package/lib/security-announcement.js

@@ -0,0 +1,83 @@
+import {
+  NEXT_SECURITY_RELEASE_REPOSITORY,
+  checkoutOnSecurityReleaseBranch,
+  getVulnerabilitiesJSON,
+  validateDate,
+  formatDateToYYYYMMDD
+} from './security-release/security-release.js';
+import auth from './auth.js';
+import Request from './request.js';
+
+export default class SecurityAnnouncement {
+  repository = NEXT_SECURITY_RELEASE_REPOSITORY;
+  req;
+  constructor(cli) {
+    this.cli = cli;
+  }
+
+  async notifyPreRelease() {
+    const { cli } = this;
+
+    const credentials = await auth({
+      github: true,
+      h1: true
+    });
+
+    this.req = new Request(credentials);
+
+    // checkout on security release branch
+    checkoutOnSecurityReleaseBranch(cli, this.repository);
+    // read vulnerabilities JSON file
+    const content = getVulnerabilitiesJSON(cli);
+    // validate the release date read from vulnerabilities JSON
+    if (!content.releaseDate) {
+      cli.error('Release date is not set in vulnerabilities.json,' +
+        ' run `git node security --update-date=YYYY/MM/DD` to set the release date.');
+      process.exit(1);
+    }
+
+    validateDate(content.releaseDate);
+    const releaseDate = new Date(content.releaseDate);
+
+    await Promise.all([this.createDockerNodeIssue(releaseDate),
+      this.createBuildWGIssue(releaseDate)]);
+  }
+
+  async createBuildWGIssue(releaseDate) {
+    const repository = {
+      owner: 'nodejs',
+      repo: 'build'
+    };
+
+    const { title, content } = this.createPreleaseAnnouncementIssue(releaseDate, 'build');
+    await this.createIssue(title, content, repository);
+  }
+
+  createPreleaseAnnouncementIssue(releaseDate, team) {
+    const title = `[NEXT-SECURITY-RELEASE] Heads up on upcoming Node.js\
+ security release ${formatDateToYYYYMMDD(releaseDate)}`;
+    const content = 'As per security release workflow,' +
+      ` creating issue to give the ${team} team a heads up.`;
+    return { title, content };
+  }
+
+  async createDockerNodeIssue(releaseDate) {
+    const repository = {
+      owner: 'nodejs',
+      repo: 'docker-node'
+    };
+
+    const { title, content } = this.createPreleaseAnnouncementIssue(releaseDate, 'docker');
+    await this.createIssue(title, content, repository);
+  }
+
+  async createIssue(title, content, repository) {
+    const data = await this.req.createIssue(title, content, repository);
+    if (data.html_url) {
+      this.cli.ok(`Created: ${data.html_url}`);
+    } else {
+      this.cli.error(data);
+      process.exit(1);
+    }
+  }
+}

package/lib/security-release/security-release.js

@@ -0,0 +1,109 @@
+import { runSync } from '../run.js';
+import nv from '@pkgjs/nv';
+import fs from 'node:fs';
+import path from 'node:path';
+
+export const NEXT_SECURITY_RELEASE_BRANCH = 'next-security-release';
+export const NEXT_SECURITY_RELEASE_FOLDER = 'security-release/next-security-release';
+
+export const NEXT_SECURITY_RELEASE_REPOSITORY = {
+  owner: 'nodejs-private',
+  repo: 'security-release'
+};
+
+export const PLACEHOLDERS = {
+  releaseDate: '%RELEASE_DATE%',
+  vulnerabilitiesPRURL: '%VULNERABILITIES_PR_URL%',
+  preReleasePrivate: '%PRE_RELEASE_PRIV%',
+  postReleasePrivate: '%POS_RELEASE_PRIV%',
+  affectedLines: '%AFFECTED_LINES%',
+  annoucementDate: '%ANNOUNCEMENT_DATE%',
+  slug: '%SLUG%',
+  affectedVersions: '%AFFECTED_VERSIONS%',
+  openSSLUpdate: '%OPENSSL_UPDATES%',
+  impact: '%IMPACT%',
+  vulnerabilities: '%VULNERABILITIES%'
+};
+
+export function checkRemote(cli, repository) {
+  const remote = runSync('git', ['ls-remote', '--get-url', 'origin']).trim();
+  const { owner, repo } = repository;
+  const securityReleaseOrigin = [
+    `https://github.com/${owner}/${repo}.git`,
+    `git@github.com:${owner}/${repo}.git`
+  ];
+
+  if (!securityReleaseOrigin.includes(remote)) {
+    cli.error(`Wrong repository! It should be ${securityReleaseOrigin}`);
+    process.exit(1);
+  }
+}
+
+export function checkoutOnSecurityReleaseBranch(cli, repository) {
+  checkRemote(cli, repository);
+  const currentBranch = runSync('git', ['branch', '--show-current']).trim();
+  cli.info(`Current branch: ${currentBranch} `);
+
+  if (currentBranch !== NEXT_SECURITY_RELEASE_BRANCH) {
+    runSync('git', ['checkout', '-B', NEXT_SECURITY_RELEASE_BRANCH]);
+    cli.ok(`Checkout on branch: ${NEXT_SECURITY_RELEASE_BRANCH} `);
+  };
+}
+
+export function commitAndPushVulnerabilitiesJSON(filePath, commitMessage, { cli, repository }) {
+  checkRemote(cli, repository);
+
+  if (Array.isArray(filePath)) {
+    for (const path of filePath) {
+      runSync('git', ['add', path]);
+    }
+  } else {
+    runSync('git', ['add', filePath]);
+  }
+
+  runSync('git', ['commit', '-m', commitMessage]);
+  runSync('git', ['push', '-u', 'origin', NEXT_SECURITY_RELEASE_BRANCH]);
+  cli.ok(`Pushed commit: ${commitMessage} to ${NEXT_SECURITY_RELEASE_BRANCH}`);
+}
+
+export async function getSupportedVersions() {
+  const supportedVersions = (await nv('supported'))
+    .map((v) => `${v.versionName}.x`)
+    .join(',');
+  return supportedVersions;
+}
+
+export async function getSummary(reportId, req) {
+  const { data } = await req.getReport(reportId);
+  const summaryList = data?.relationships?.summaries?.data;
+  if (!summaryList?.length) return;
+  const summaries = summaryList.filter((summary) => summary?.attributes?.category === 'team');
+  if (!summaries?.length) return;
+  return summaries?.[0].attributes?.content;
+}
+
+export function getVulnerabilitiesJSON(cli) {
+  const vulnerabilitiesJSONPath = path.join(process.cwd(),
+    NEXT_SECURITY_RELEASE_FOLDER, 'vulnerabilities.json');
+  cli.startSpinner(`Reading vulnerabilities.json from ${vulnerabilitiesJSONPath}..`);
+  const file = JSON.parse(fs.readFileSync(vulnerabilitiesJSONPath, 'utf-8'));
+  cli.stopSpinner(`Done reading vulnerabilities.json from ${vulnerabilitiesJSONPath}`);
+  return file;
+}
+
+export function validateDate(releaseDate) {
+  const value = new Date(releaseDate).valueOf();
+  if (Number.isNaN(value) || value < 0) {
+    throw new Error('Invalid date format');
+  }
+}
+
+export function formatDateToYYYYMMDD(date) {
+  // Get year, month, and day
+  const year = date.getFullYear();
+  const month = String(date.getMonth() + 1).padStart(2, '0'); // Months are zero-based
+  const day = String(date.getDate()).padStart(2, '0');
+
+  // Concatenate year, month, and day with slashes
+  return `${year}/${month}/${day}`;
+}

package/lib/security_blog.js

@@ -0,0 +1,182 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import _ from 'lodash';
+import {
+  PLACEHOLDERS,
+  getVulnerabilitiesJSON,
+  checkoutOnSecurityReleaseBranch,
+  NEXT_SECURITY_RELEASE_REPOSITORY,
+  validateDate
+} from './security-release/security-release.js';
+
+export default class SecurityBlog {
+  repository = NEXT_SECURITY_RELEASE_REPOSITORY;
+  constructor(cli) {
+    this.cli = cli;
+  }
+
+  async createPreRelease() {
+    const { cli } = this;
+
+    // checkout on security release branch
+    checkoutOnSecurityReleaseBranch(cli, this.repository);
+
+    // read vulnerabilities JSON file
+    const content = getVulnerabilitiesJSON(cli);
+    // validate the release date read from vulnerabilities JSON
+    if (!content.releaseDate) {
+      cli.error('Release date is not set in vulnerabilities.json,' +
+        ' run `git node security --update-date=YYYY/MM/DD` to set the release date.');
+      process.exit(1);
+    }
+
+    validateDate(content.releaseDate);
+    const releaseDate = new Date(content.releaseDate);
+
+    const template = this.getSecurityPreReleaseTemplate();
+    const data = {
+      annoucementDate: await this.getAnnouncementDate(cli),
+      releaseDate: this.formatReleaseDate(releaseDate),
+      affectedVersions: this.getAffectedVersions(content),
+      vulnerabilities: this.getVulnerabilities(content),
+      slug: this.getSlug(releaseDate),
+      impact: this.getImpact(content),
+      openSSLUpdate: await this.promptOpenSSLUpdate(cli)
+    };
+    const month = releaseDate.toLocaleString('en-US', { month: 'long' }).toLowerCase();
+    const year = releaseDate.getFullYear();
+    const fileName = `${month}-${year}-security-releases.md`;
+    const preRelease = this.buildPreRelease(template, data);
+    const file = path.join(process.cwd(), fileName);
+    fs.writeFileSync(file, preRelease);
+    cli.ok(`Pre-release announcement file created at ${file}`);
+  }
+
+  promptOpenSSLUpdate(cli) {
+    return cli.prompt('Does this security release containt OpenSSL updates?', {
+      defaultAnswer: true
+    });
+  }
+
+  formatReleaseDate(releaseDate) {
+    const options = {
+      weekday: 'long',
+      month: 'long',
+      day: 'numeric',
+      year: 'numeric'
+    };
+    return releaseDate.toLocaleDateString('en-US', options);
+  }
+
+  buildPreRelease(template, data) {
+    const {
+      annoucementDate,
+      releaseDate,
+      affectedVersions,
+      vulnerabilities,
+      slug,
+      impact,
+      openSSLUpdate
+    } = data;
+    return template.replaceAll(PLACEHOLDERS.annoucementDate, annoucementDate)
+      .replaceAll(PLACEHOLDERS.slug, slug)
+      .replaceAll(PLACEHOLDERS.affectedVersions, affectedVersions)
+      .replaceAll(PLACEHOLDERS.vulnerabilities, vulnerabilities)
+      .replaceAll(PLACEHOLDERS.releaseDate, releaseDate)
+      .replaceAll(PLACEHOLDERS.impact, impact)
+      .replaceAll(PLACEHOLDERS.openSSLUpdate, this.getOpenSSLUpdateTemplate(openSSLUpdate));
+  }
+
+  getOpenSSLUpdateTemplate(openSSLUpdate) {
+    if (openSSLUpdate) {
+      return '\n## OpenSSL Security updates\n\n' +
+        'This security release includes OpenSSL security updates\n';
+    }
+    return '';
+  }
+
+  getSlug(releaseDate) {
+    const month = releaseDate.toLocaleString('en-US', { month: 'long' });
+    const year = releaseDate.getFullYear();
+    return `${month.toLocaleLowerCase()}-${year}-security-releases`;
+  }
+
+  async getAnnouncementDate(cli) {
+    try {
+      const date = await this.promptAnnouncementDate(cli);
+      validateDate(date);
+      return new Date(date).toISOString();
+    } catch (error) {
+      return PLACEHOLDERS.annoucementDate;
+    }
+  }
+
+  promptAnnouncementDate(cli) {
+    const today = new Date().toISOString().substring(0, 10).replace(/-/g, '/');
+    return cli.prompt('When is the security release going to be announced? ' +
+      'Enter in YYYY/MM/DD format:', {
+      questionType: 'input',
+      defaultAnswer: today
+    });
+  }
+
+  getImpact(content) {
+    const impact = content.reports.reduce((acc, report) => {
+      for (const affectedVersion of report.affectedVersions) {
+        if (acc[affectedVersion]) {
+          acc[affectedVersion].push(report);
+        } else {
+          acc[affectedVersion] = [report];
+        }
+      }
+      return acc;
+    }, {});
+
+    const impactText = [];
+    for (const [key, value] of Object.entries(impact)) {
+      const groupedByRating = Object.values(_.groupBy(value, 'severity.rating'))
+        .map(severity => {
+          if (!severity[0]?.severity?.rating) {
+            this.cli.error(`severity.rating not found for the report ${severity[0].id}. \
+              Please add it manually before continuing.`);
+            process.exit(1);
+          }
+          const firstSeverityRating = severity[0].severity.rating.toLocaleLowerCase();
+          return `${severity.length} ${firstSeverityRating} severity issues`;
+        }).join(', ');
+
+      impactText.push(`The ${key} release line of Node.js is vulnerable to ${groupedByRating}.`);
+    }
+
+    return impactText.join('\n');
+  }
+
+  getVulnerabilities(content) {
+    const grouped = _.groupBy(content.reports, 'severity.rating');
+    const text = [];
+    for (const [key, value] of Object.entries(grouped)) {
+      text.push(`- ${value.length} ${key.toLocaleLowerCase()} severity issues.`);
+    }
+    return text.join('\n');
+  }
+
+  getAffectedVersions(content) {
+    const affectedVersions = new Set();
+    for (const report of Object.values(content.reports)) {
+      for (const affectedVersion of report.affectedVersions) {
+        affectedVersions.add(affectedVersion);
+      }
+    }
+    return Array.from(affectedVersions).join(', ');
+  }
+
+  getSecurityPreReleaseTemplate() {
+    return fs.readFileSync(
+      new URL(
+        './github/templates/security-pre-release.md',
+        import.meta.url
+      ),
+      'utf-8'
+    );
+  }
+}

package/lib/update-v8/constants.js

@@ -34,6 +34,10 @@ const abseilIgnore = `!/third_party/abseil-cpp
 /third_party/abseil-cpp/.github
 /third_party/abseil-cpp/ci`;
 
+const fp16Ignore = `!/third_party/fp16
+/third_party/fp16/src/*
+!/third_party/fp16/src/include`;
+
 export const v8Deps = [
   {
     name: 'trace_event',
@@ -92,5 +96,11 @@ export const v8Deps = [
     repo: 'third_party/abseil-cpp',
     gitignore: abseilIgnore,
     since: 121
+  },
+  {
+    name: 'fp16',
+    repo: 'third_party/fp16/src',
+    gitignore: fp16Ignore,
+    since: 124
   }
 ];

package/lib/update_security_release.js

@@ -0,0 +1,138 @@
+import {
+  NEXT_SECURITY_RELEASE_FOLDER,
+  NEXT_SECURITY_RELEASE_REPOSITORY,
+  checkoutOnSecurityReleaseBranch,
+  commitAndPushVulnerabilitiesJSON,
+  getSupportedVersions,
+  getSummary,
+  validateDate
+} from './security-release/security-release.js';
+import fs from 'node:fs';
+import path from 'node:path';
+import auth from './auth.js';
+import Request from './request.js';
+
+export default class UpdateSecurityRelease {
+  repository = NEXT_SECURITY_RELEASE_REPOSITORY;
+  constructor(cli) {
+    this.cli = cli;
+  }
+
+  async updateReleaseDate(releaseDate) {
+    const { cli } = this;
+
+    try {
+      validateDate(releaseDate);
+    } catch (error) {
+      cli.error('Invalid date format. Please use the format yyyy/mm/dd.');
+      process.exit(1);
+    }
+
+    // checkout on the next-security-release branch
+    checkoutOnSecurityReleaseBranch(cli, this.repository);
+
+    // update the release date in the vulnerabilities.json file
+    const updatedVulnerabilitiesFiles = await this.updateVulnerabilitiesJSON(releaseDate, { cli });
+
+    const commitMessage = `chore: update the release date to ${releaseDate}`;
+    commitAndPushVulnerabilitiesJSON(updatedVulnerabilitiesFiles,
+      commitMessage, { cli, repository: this.repository });
+    cli.ok('Done!');
+  }
+
+  readVulnerabilitiesJSON(vulnerabilitiesJSONPath) {
+    const exists = fs.existsSync(vulnerabilitiesJSONPath);
+
+    if (!exists) {
+      this.cli.error(`The file vulnerabilities.json does not exist at ${vulnerabilitiesJSONPath}`);
+      process.exit(1);
+    }
+
+    return JSON.parse(fs.readFileSync(vulnerabilitiesJSONPath, 'utf8'));
+  }
+
+  getVulnerabilitiesJSONPath() {
+    return path.join(process.cwd(),
+      NEXT_SECURITY_RELEASE_FOLDER, 'vulnerabilities.json');
+  }
+
+  async updateVulnerabilitiesJSON(releaseDate) {
+    const vulnerabilitiesJSONPath = this.getVulnerabilitiesJSONPath();
+    const content = this.readVulnerabilitiesJSON(vulnerabilitiesJSONPath);
+    content.releaseDate = releaseDate;
+
+    fs.writeFileSync(vulnerabilitiesJSONPath, JSON.stringify(content, null, 2));
+
+    this.cli.ok(`Updated the release date in vulnerabilities.json: ${releaseDate}`);
+    return [vulnerabilitiesJSONPath];
+  }
+
+  async addReport(reportId) {
+    const { cli } = this;
+    const credentials = await auth({
+      github: true,
+      h1: true
+    });
+
+    const req = new Request(credentials);
+    // checkout on the next-security-release branch
+    checkoutOnSecurityReleaseBranch(cli, this.repository);
+
+    // get h1 report
+    const { data: report } = await req.getReport(reportId);
+    const { id, attributes: { title, cve_ids }, relationships: { severity, reporter } } = report;
+    // if severity is not set on h1, set it to TBD
+    const reportLevel = severity ? severity.data.attributes.rating : 'TBD';
+
+    // get the affected versions
+    const supportedVersions = await getSupportedVersions();
+    const versions = await cli.prompt('Which active release lines this report affects?', {
+      questionType: 'input',
+      defaultAnswer: supportedVersions
+    });
+
+    // get the team summary from h1 report
+    const summaryContent = await getSummary(id, req);
+
+    const entry = {
+      id,
+      title,
+      cve_ids,
+      severity: reportLevel,
+      summary: summaryContent ?? '',
+      affectedVersions: versions.split(',').map((v) => v.replace('v', '').trim()),
+      reporter: reporter.data.attributes.username
+    };
+
+    const vulnerabilitiesJSONPath = this.getVulnerabilitiesJSONPath();
+    const content = this.readVulnerabilitiesJSON(vulnerabilitiesJSONPath);
+    content.reports.push(entry);
+    fs.writeFileSync(vulnerabilitiesJSONPath, JSON.stringify(content, null, 2));
+    this.cli.ok(`Updated vulnerabilities.json with the report: ${id}`);
+    const commitMessage = `chore: added report ${id} to vulnerabilities.json`;
+    commitAndPushVulnerabilitiesJSON(vulnerabilitiesJSONPath,
+      commitMessage, { cli, repository: this.repository });
+    cli.ok('Done!');
+  }
+
+  removeReport(reportId) {
+    const { cli } = this;
+    // checkout on the next-security-release branch
+    checkoutOnSecurityReleaseBranch(cli, this.repository);
+    const vulnerabilitiesJSONPath = this.getVulnerabilitiesJSONPath();
+    const content = this.readVulnerabilitiesJSON(vulnerabilitiesJSONPath);
+    const found = content.reports.some((report) => report.id === reportId);
+    if (!found) {
+      cli.error(`Report with id ${reportId} not found in vulnerabilities.json`);
+      process.exit(1);
+    }
+    content.reports = content.reports.filter((report) => report.id !== reportId);
+    fs.writeFileSync(vulnerabilitiesJSONPath, JSON.stringify(content, null, 2));
+    this.cli.ok(`Updated vulnerabilities.json with the report: ${reportId}`);
+
+    const commitMessage = `chore: remove report ${reportId} from vulnerabilities.json`;
+    commitAndPushVulnerabilitiesJSON(vulnerabilitiesJSONPath,
+      commitMessage, { cli, repository: this.repository });
+    cli.ok('Done!');
+  }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@node-core/utils",
-  "version": "4.2.3",
+  "version": "4.4.0",
   "description": "Utilities for Node.js core collaborators",
   "type": "module",
   "engines": {
@@ -34,35 +34,35 @@
   ],
   "license": "MIT",
   "dependencies": {
-    "@listr2/prompt-adapter-enquirer": "^1.0.2",
-    "@node-core/caritat": "^1.2.1",
+    "@listr2/prompt-adapter-enquirer": "^2.0.1",
+    "@node-core/caritat": "^1.3.0",
     "@pkgjs/nv": "^0.2.2",
-    "branch-diff": "^2.1.5",
+    "branch-diff": "^3.0.2",
     "chalk": "^5.3.0",
-    "changelog-maker": "^3.2.6",
+    "changelog-maker": "^4.0.1",
     "cheerio": "^1.0.0-rc.12",
     "clipboardy": "^4.0.0",
     "core-validate-commit": "^4.0.0",
     "figures": "^6.0.1",
-    "ghauth": "^6.0.0",
-    "inquirer": "^9.2.11",
+    "ghauth": "^6.0.1",
+    "inquirer": "^9.2.12",
     "js-yaml": "^4.1.0",
-    "listr2": "^7.0.2",
+    "listr2": "^8.0.1",
     "lodash": "^4.17.21",
     "log-symbols": "^6.0.0",
-    "ora": "^7.0.1",
-    "replace-in-file": "^7.0.2",
-    "undici": "^5.27.2",
+    "ora": "^8.0.1",
+    "replace-in-file": "^7.1.0",
+    "undici": "^6.3.0",
     "which": "^4.0.0",
     "yargs": "^17.7.2"
   },
   "devDependencies": {
-    "@reporters/github": "^1.5.3",
-    "c8": "^8.0.1",
-    "eslint": "^8.53.0",
+    "@reporters/github": "^1.5.4",
+    "c8": "^9.0.0",
+    "eslint": "^8.56.0",
     "eslint-config-standard": "^17.1.0",
-    "eslint-plugin-import": "^2.29.0",
-    "eslint-plugin-n": "^16.2.0",
+    "eslint-plugin-import": "^2.29.1",
+    "eslint-plugin-n": "^16.6.1",
     "eslint-plugin-promise": "^6.1.1",
     "sinon": "^17.0.1"
   }

package/lib/github/templates/next-security-release.md

@@ -1,97 +0,0 @@
-## Planning
-
-* [X] Open an [issue](https://github.com/nodejs-private/node-private) titled
-  `Next Security Release`, and put this checklist in the description.
-
-* [ ] Get agreement on the list of vulnerabilities to be addressed:
-%REPORTS%
-
-* [ ] PR release announcements in [private](https://github.com/nodejs-private/nodejs.org-private):
-  * [ ] pre-release: %PRE_RELEASE_PRIV%
-  * [ ] post-release: %POS_RELEASE_PRIV%
-    * List vulnerabilities in order of descending severity
-    * Ask the HackerOne reporter if they would like to be credited on the
-      security release blog page
-
-* [ ] Get agreement on the planned date for the release: %RELEASE_DATE%
-
-* [ ] Get release team volunteers for all affected lines:
-%AFFECTED_LINES%
-
-## Announcement (one week in advance of the planned release)
-
-* [ ] Verify that GitHub Actions are working as normal: <https://www.githubstatus.com/>.
-
-* [ ] Check that all vulnerabilities are ready for release integration:
-  * PRs against all affected release lines or cherry-pick clean
-  * Approved
-  * (optional) Approved by the reporter
-    * Build and send the binary to the reporter according to its architecture
-      and ask for a review. This step is important to avoid insufficient fixes
-      between Security Releases.
-  * Have CVEs
-    * Make sure that dependent libraries have CVEs for their issues. We should
-      only create CVEs for vulnerabilities in Node.js itself. This is to avoid
-      having duplicate CVEs for the same vulnerability.
-  * Described in the pre/post announcements
-
-* [ ] Pre-release announcement to nodejs.org blog: TBD
-  (Re-PR the pre-approved branch from nodejs-private/nodejs.org-private to
-  nodejs/nodejs.org)
-
-* [ ] Pre-release announcement [email](https://groups.google.com/forum/#!forum/nodejs-sec): TBD
-  * Subject: `Node.js security updates for all active release lines, Month Year`
-
-* [ ] CC `oss-security@lists.openwall.com` on pre-release
-  * [ ] Forward the email you receive to `oss-security@lists.openwall.com`.
-
-* [ ] Create a new issue in [nodejs/tweet](https://github.com/nodejs/tweet/issues)
-
-* [ ] Request releaser(s) to start integrating the PRs to be released.
-
-* [ ] Notify [docker-node](https://github.com/nodejs/docker-node/issues) of upcoming security release date:  TBD
-
-* [ ] Notify build-wg of upcoming security release date by opening an issue
-  in [nodejs/build](https://github.com/nodejs/build/issues) to request WG members are available to fix any CI issues: TBD
-
-## Release day
-
-* [ ] [Lock CI](https://github.com/nodejs/build/blob/HEAD/doc/jenkins-guide.md#before-the-release)
-
-* [ ] The releaser(s) run the release process to completion.
-
-* [ ] [Unlock CI](https://github.com/nodejs/build/blob/HEAD/doc/jenkins-guide.md#after-the-release)
-
-* [ ] Post-release announcement to Nodejs.org blog:
-  * (Re-PR the pre-approved branch from nodejs-private/nodejs.org-private to
-    nodejs/nodejs.org)
-
-* [ ] Post-release announcement in reply email: TBD
-
-* [ ] Notify `#nodejs-social` about the release.
-
-* [ ] Comment in [docker-node][] issue that release is ready for integration.
-  The docker-node team will build and release docker image updates.
-
-* [ ] For every H1 report resolved:
-  * Close as Resolved
-  * Request Disclosure
-  * Request publication of H1 CVE requests
-    * (Check that the "Version Fixed" field in the CVE is correct, and provide
-      links to the release blogs in the "Public Reference" section)
-
-* [ ] PR machine-readable JSON descriptions of the vulnerabilities to the
-  [core](https://github.com/nodejs/security-wg/tree/HEAD/vuln/core)
-  vulnerability DB.
-  * For each vulnerability add a `#.json` file, one can copy an existing
-    [json](https://github.com/nodejs/security-wg/blob/0d82062d917cb9ddab88f910559469b2b13812bf/vuln/core/78.json)
-    file, and increment the latest created file number and use that as the name
-    of the new file to be added. For example, `79.json`.
-
-* [ ] Close this issue
-
-* [ ] Make sure the PRs for the vulnerabilities are closed.
-
-* [ ] PR in that you stewarded the release in
-  [Security release stewards](https://github.com/nodejs/node/blob/HEAD/doc/contributing/security-release-process.md#security-release-stewards).
-  If necessary add the next rotation of the steward rotation.